Microprocessor smart cards have commonly been used to protect the keys and secret data of service providers' applications. Considered “tamper-resistant” devices, smart cards have been used to protect payment applications from banks, ticketing applications from transportation authorities, and biometric data for access control purposes.
Mobile contactless technologies offer a tremendous opportunity to deploy service providers' applications and services via a new form-factor token, and secure elements such as SIM cards, micro-SD cards or chips embedded in mobile phones have long been regarded as the right place to securely store the most sensitive part of the service providers' mobile applications.
In spite of the huge potential of secure elements in terms of secure storage capabilities, several barriers—mostly related to business models and ecosystem complexity—have limited their exploitation in areas such as mobile contactless payments.
To occupy this space, new technologies are emerging, some of them relying on new security paradigms different from traditional secure storage. With current state-of-the-art technology it is possible to “emulate” a smart card in software and to use it in contactless transactions by means of the so-called “Host Card Emulation” (HCE) technology, currently supported on BlackBerry and Android devices; it is thus possible to perform NFC payments using such a software smart card emulation on a smartphone.
Technology exists today to protect mobile device software applications for payments, transportation, access control, couponing, mobile banking, mobile trading/brokerage, etc., using a combination of techniques for logical security protection.
It is presumed that attacks aimed at gaining access to, e.g., secret data held in mobile device software applications will become more severe in the near future, as the incentive for an attacker to profit from the stored data is becoming higher. It is therefore expected that mobile device software applications, and in particular mobile contactless software applications, will need to gradually incorporate the security protection technologies referred to above.
The main weakness of current technologies for protecting mobile software applications is that they provide the same protection for all replicas (e.g. one per user and per mobile device) of a protected executable application delivered to end users, so an attacker may still have the incentive to crack one and then, using the same logic, crack many.
It can therefore be of interest for service providers to have mechanisms available for deploying a different security personalization for each user of a given mobile software application.